2

我有Wireshark 创建的PcapNG文件,我尝试使用python-pcapng.

但是,我无法弄清楚如何协调从FileScanner's收到的输出packet_payload_info802.11 数据帧格式802.11 数据帧格式

这是我得到的输出(我的代码在底部):

magic_number 0xa0d0d0a
SectionHeader(version_major=1, version_minor=0, section_length=-1, options=Options({'shb_userappl': [u'Dumpcap 1.12.4 (v1.12.4-0-gb4861da from master-1.12)'], 'shb_os': [u'Mac OS X 10.10.2, build 14C109 (Darwin 14.1.0)']}))

magic_number 0x1
InterfaceDescription(link_type=127, reserved='\x00\x00', snaplen=262144, options=Options({'if_os': [u'Mac OS X 10.10.2, build 14C109 (Darwin 14.1.0)'], 'if_tsresol': [6], 'if_name': [u'en1']}))

magic_number 0x6
EnhancedPacket(interface_id=0, timestamp_high=332139, timestamp_low=2801116064L, packet_payload_info=(45, 45, '\x00\x00\x19\x00o\x08\x00\x00`I\xb2&\x00\x00\x00\x00\x12\x18q\x16@\x01\xb1\xaa\x00\xb4\x00\x90\x00\xf4\x0f\x1b\xb8sL`\x92\x175\x00\x01\xe3\xcf\x00\x12'), options=Options({}))

packet_payload_info      : (45, 45, '\x00\x00\x19\x00o\x08\x00\x00`I\xb2&\x00\x00\x00\x00\x12\x18q\x16@\x01\xb1\xaa\x00\xb4\x00\x90\x00\xf4\x0f\x1b\xb8sL`\x92\x175\x00\x01\xe3\xcf\x00\x12') 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 60 49 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12 

packet_payload_data (bin): 00000000 00000000 00011001 00000000 01101111 00001000 00000000 00000000 01100000 01001001 10110010 00100110 00000000 00000000 00000000 00000000 00010010 00011000 01110001 00010110 01000000 00000001 10110001 10101010 00000000 10110100 00000000 10010000 00000000 11110100 00001111 00011011 10111000 01110011 01001100 01100000 10010010 00010111 00110101 00000000 00000001 11100011 11001111 00000000 00010010

你能告诉我packet_payload_data802.11 数据帧的位置吗?*

  • 即,它的第一个字节在帧中的位置

Python代码:

#!/usr/bin/env python

from pcapng import FileScanner

def hex_str_to_num(hex_str,out_format='X'):
    if out_format.upper() == 'B':
        return ' '.join(format(ord(x), out_format).zfill(8) for x in hex_str)
    else:
        return ' '.join(format(ord(x), out_format).zfill(2) for x in hex_str)


PCAPNG = "/cygdrive/c/tmp/trace3.pcapng"
MAX = 3
ENHANCEDPACKET_ID = 6

with open(PCAPNG, "r") as pcapng_file:
    scanner = FileScanner(pcapng_file)
    counter = MAX
    for block in scanner:
        print
        print "magic_number",hex(block.magic_number)
        print block

        if block.magic_number == ENHANCEDPACKET_ID:
            print
            payload_data = block.packet_payload_info[2]
            print "packet_payload_info      :",block.packet_payload_info,"\n"
            print "packet_payload_data (hex):",hex_str_to_num(payload_data,"X"),"\n"
            print "packet_payload_data (bin):",hex_str_to_num(payload_data,"b")

        counter -= 1
        if not counter:
            break

编辑1:

如果我打印几个EnhancedPacketpacket_payload_data我注意到它们都以00 00 19 00 6F 08 00 00. 现在,08是数据帧标记,这让我怀疑它packet_payload_data不仅是有效载荷数据,还包括帧控制位。

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 60 49 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 92 49 B2 26 00 00 00 00 12 18 71 16 40 01 CD AA 00 C4 00 60 00 60 92 17 35 00 01 F7 65 6E 79 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 09 4A B2 26 00 00 00 00 12 18 71 16 40 01 CA AA 00 94 00 00 00 60 92 17 35 00 01 F4 0F 1B B8 73 4C 04 00 C0 23 FF FF FF FF FF FF FF FF 58 D0 59 5C 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 5F 51 B2 26 00 00 00 00 52 6C 71 16 40 01 B2 AA 00 B4 00 1C 1B F4 0F 1B B8 73 4C 60 92 17 35 00 01 33 20 02 04 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 86 51 B2 26 00 00 00 00 12 6C 71 16 40 01 CA AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 EE 53 B2 26 00 00 00 00 12 6C 71 16 40 01 B1 AA 00 B4 00 74 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 33 20 02 04 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 15 54 B2 26 00 00 00 00 12 6C 71 16 40 01 CB AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 98 56 B2 26 00 00 00 00 52 6C 71 16 40 01 B2 AA 00 AB 00 74 00 F4 0F 1B B8 73 3C E4 44 DF 67 09 14 3A 0A 24 04 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 C0 56 B2 26 00 00 00 00 12 6C 71 16 40 01 CB AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 E8 58 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 1B 59 B2 26 00 00 00 00 12 18 71 16 40 01 CD AA 00 C4 00 60 00 60 92 17 35 00 01 F7 65 6E 79 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 92 59 B2 26 00 00 00 00 12 18 71 16 40 01 CA AA 00 94 00 00 00 60 92 17 35 00 01 F4 0F 1B B8 73 4C 04 00 D0 23 FF FF FF FF FF FF FF FF B0 51 F7 7B 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 A0 69 B2 26 00 00 00 00 12 6C 71 16 40 01 C6 AA 00 B4 00 C0 00 50 2E 5C DA 81 9D F4 0F 1B B8 73 4C B4 E2 C5 B7 

packet_payload_data (hex): 00 00 19 00 6F 08 00 00 17 6A B2 26 00 00 00 00 12 6C 71 16 40 01 C5 AA 00 B4 00 C0 00 50 2E 5C DA 81 9D F4 0F 1B B8 73 4C B4 E2 C5 B7
4

1 回答 1

1

首先,不要假设,仅仅因为您在 802.11 接口上捕获,帧数据以 802.11 标头开头。它可能以“无线电元数据”标头开头,例如,其后是 802.11 标头。

所有读取 pcap-ng 文件的程序必须:

  • 阅读所有接口描述块,并至少记住该 IDB 的序号(稍后将用作接口 ID)和接口的 LinkType 值;
  • 处理数据包块时,查找具有指定接口 ID 的接口的 LinkType 值,并使用它来解释原始数据包数据。

LinkType 值的官方列表指示了这些值是什么以及应如何解释该值的数据包数据。永远永远永远永远不会假设数据包数据会是什么样子;始终检查 LinkType 值。

(这也适用于 pcap 文件;始终检查文件的链接层标头类型。)

现在,请注意,00 00 19 00 6F 08 00 00它可能是radiotap标头的开头,版本值为 0,填充字节为 0,little-endian 长度为 25 个字节,第一个存在位字为 0x0000086F。该存在位字表示存在的字段将是TSFT(8 字节)、标志(1 字节)、速率(1 字节)、信道(4 字节)、天线信号(1 字节)、天线噪声(1字节)和天线(1字节)。版本、填充字节、长度和存在位字为 8 个字节,总共 8+8+1+1+4+1+1+1 = 25 个字节。

所以我绝对不会假设您正在查看 802.11 标头!您必须检查 LinkType;如果是 127 (LINKTYPE_IEEE802_11_RADIOTAP),则数据包以 radiotap 标头开头,然后是 802.11 标头。如果是 105 (LINKTYPE_IEEE802_11),它们以 802.11 标头开头。

802.11 标头,无论是在 radiotap(或其他无线电元数据)标头之后还是在原始数据包数据的开头,都是原始 802.11 标头,因此它以帧控制字段开头,然后是持续时间,依此类推。

于 2015-03-30T19:15:59.600 回答